Does sshd's MaxAuthTries setting do what you want?

Not quite. I'd like it to build a "hosts.deny"-like list so that after a number of failures, the connection couldn't be reestablished. If I understand this, it would log & drop the connection, but the far-seide could still restart the connection. Its and anti-hammering technique to prevent dictionary attacks.

That is what Denyhosts does, it denies people after X-amount of unsuccessful tries. and then puts the IP in the hosts.deny file.

Sorry, I didn't realize that was what DenyHosts referred to. I assumed it was hosts.deny. Thanks for the tip!

I also had similar issues (lots of login attempts in the log files). I changed the ssh settings first but I also found the following Iptables based solution somewhere on the net. It should drop the packets from an IP address if there has been 3 unsuccessful login attempts in the last 60 seconds (I don't know much about iptables and what I just said could be wrong, sorry ) :

You put this in /etc/rc.d/rc.firewall and make the file executable:

Yes there is: fail2ban

http://www.fail2ban.org

From their Website:

Well if you can get access to your router from the internet that means if someone breaks it he breaks into 192.168.1 (or whatever your subnet is). and that means that he can start hacking your ip from the router. If I understand it right it's just 2 boxes needed to be hacked before someone gets access to your pc, instead of one

Which is why running any network accessible services directly on your router/firewall box is a bad idea if you care about security.

See the "ssh attack blocking plan" at http://maplepark.com/~drf/consults/linux.html It may work for you.

Dave

Supplement the previous plan with mac address filtering and static IPs (though mac addresses can be spoofed), close any services on the router, filter ssh etc. by mac addresses (iptables rules?) etc.

Security is a work-in-progress, not an end-solution.

I get lots of attempts like this for years. Since I use strong passwords I get no troubles yet.

But some questions are still unclear for me.

1. If somebody tries to log with username what does not exist he can see the 'user dose not exist' answer?

2. If he tries to log an existing user with wrong password, can he see that the username is good but the password is not?

3. Is it possible to see information like wrong password attempts? I mean if somebody tries to log as root with bad password "password" can I make some list of the passwords what was tried? So if somebody tries more passwords I can list them?

Nope. He'll get no feedback. Only the permission denied (publickey,password).
I do recommend you move your ssh port out of the range that nmap scans by default. Anywhere high up is good. My first month of running an ssh server gave me roughly 90,000 break in attempts. I moved the port up, and since then it stopped. I have not had an attack since (lazy script kiddies)


Interesting. I dunno.

you can do sshd: ALL: DENY in hosts.deny, and then just add the hosts or IPs you want to allow in hosts.allow. that in itself can go a long way to locking it down, along with a firewall rule and using authenticated keys. and if you change the port, that's even another added layer of protection.

I use ssh constantly on my LAN, and those techniques seem to have kept me safe from any attacks.

Please note that while this advice will probably keep the stone-cold idiots out of the system, it doesn't actually increase security. If you want to actually make ssh more secure, you need to follow the advice about strong passwords or keys, disallowing root or locking down the IP range that the system can be accessed from. If you just move the ssh port and don't take these sorts of steps then the people you really need to worry about will still be able to find ssh and exploit it.

Yes, excellent! Moving the port up gives no enhanced security, it should be read as 'in addition to' not 'instead of'.

It keeps the logs a lot cleaner. Simple bot attacks wont pass this 'first hurdle' (note to script kiddies: man nmap && nam ssh should give you an idea of what you are doing wrong). A human with half a notion of what he's doing wont be bothered by port numbers.


But the latter now stick out in the logs.


Would it be safe to assume btw that anyone who has the knowledge to move ssh to a different port also has the knowledge to appreciate the value of long and complicated passwords and out-of-the-ordinary login names??
I mention the latter as brute force attacks often guess regular user names (of an Anglo-Saksen signature, ie a lot of patricia's, eric's and richard's, but not a lot of günter's, wilhelm's or marietje's... giving us non-Engish a little unexpected edge in computer security )